Featured reads
Security Research
Security research and analysis with Netlas.io
white paper
Fast one-shot passive recon script with Netlas.io
blog post
How to find online cameras with Netlas.io?
blog post
Threat hunting
Non-intrusive security assessment
OSINT investigations
Reputation scoring
Security analysis
Security of IoT and Industrial devices
Vulnerable devices search
Uncover shadow IT and phishing threats
Attack surface identification
3-4 times per year
Please, sign in to manage newsletter subscription
Important updates, sales and promos
1-2 posts per week
Newest CVE, featured search queries
updates and announcements
Swagger UI
Handy web tool for testing Netlas API
Official Python SDK and command line utility
Netlas SDK
Netlas Blog
In-depth features overview & case studies
Netlas Cookbook
An ultimate guide on how to make the most of Netlas.io
Scripts & Code Samples
Useful scripts to create you own automations
Featured queries
Search queries for IoT, routers, IP cameras & more
Netlas usage, API specification, SDK & CLI installation
Restricted mobile device support
For a better experience please use screens with a horizontal resolution of 1280 pixels or more
Reconnaissance, security assessment, security research,
and other cases
dev tools,
code samples,
and other resources

Restricted mobile device support
For a better experience please use screens with a horizontal resolution of 1280 pixels or more
Netlas For security analysis

OSINT investigations with Netlas.io

A comprehensive view of an organization's digital presence, security posture, and technological infrastructure.
When using Netlas.io for an OSINT investigation of an organization, you can find a variety of data types that could be insightful for cybersecurity analysis, market research, and other investigative purposes.

Building a company profile

With Netlas, you can build a comprehensive technical overview of a company. Here's an overview of the types of data you might uncover:
Network Infrastructure
Details on the network infrastructure, such as ASN (Autonomous System Number) information, which can help in understanding the organization's internet service providers (ISPs) and network size.
Geographical Distribution
Geolocation data of the IP addresses, showing the physical locations of servers and other devices, which can illustrate the geographical reach of the organization's infrastructure.
Device and Service Footprint
Information about the servers, including web servers, mail servers, and other application servers, detailing the technologies and software versions in use.
Technological Profile
The technology stack used by the organization, including web server types, programming languages, and content management systems (CMS), which can inform about the organization's technical capabilities and preferences.
External Partnerships
Digital presence on SaaS platforms such as Slack, Atlassian, DocuSign, ServiceNow, etc. Content Delivery Networks (CDNs) or third-party services (like DDoS protection or external WAF) in use, which can be relevant for understanding dependencies and external partnerships.
Security Posture
Exposed services and open ports that might be vulnerable or misconfigured, indicating potential security risks. Specific vulnerabilities associated with the devices and services identified, based on known vulnerabilities of the software versions detected.
Web Content and Metadata
Snapshot or metadata of web content hosted by the organization, which can include titles, descriptions, and keywords. Searching resources published on subdomains can sometimes even lead to sensitive documents.
Let's explore a few particular information gathering areas to grasp the depth of this subject.

Company email addresses

APIs designed to retrieve publicly available organization emails can significantly streamline OSINT and cybersecurity tasks. Netlas may not primarily focus on supplying contact information, yet it can serve as one of your data sources for this purpose.
Given the breadth of Netlas's data collections, you're apt to discover numerous relevant contacts for the businesses you're targeting. You can retrive data from:
  • Internet scan data (not only http, but dozens of supported protocols);
  • WHOIS data for domains and IP addresses;
  • SSL certificates.
Through the API, accessing contacts from Netlas's extensive data archives is straightforward. If you are regulary encounter this task, you can download a Python script that searches for email addresses by given domain name in all data collections. This and many others handy scripts published on one of Netlas Github repositories.

Search for internal documents

Subdomains are often used to host various internal services, such as development environments, staging areas, and internal documentation. If this documentation are accidentally exposed to the public internet, it can become a treasure trove of sensitive information.
There are two strong reasons to use Netlas in addition to traditional search engines to find document links:
  • While search engines such as Google may not scan subdomains that employ robots.txt or noindex tags, Netlas archives responses from all known subdomains.
  • Utilizing Netlas in conjunction with other search engines ensures that you're accessing previously gathered data, rather than directly interacting with a company's infrastructure. Consequently, your activities remain untraceable.

netlas-scripts % python3 netlas_docs_by_domain.py bankofamerica.com | grep employ             
In the Netlas Scripts repository, you'll find another handy script. This script iterates through scan outcomes for a specific domain and all its subdomains, searching for links to files, like TXT, DOCX, PDF and others.
We considered only two small areas of information collection. Using the API, you can expand or build your own solution for OSINT investigations. Refer to the documentation and sample scripts to learn more about the Netlas API.
Get your free Netlas.io account!
Sign up to get up to 50 requests/day for free.
Related articles